SSL Help

Hi All,

This is annoying me now. A company I've taken over looking after have external.com and internal.com domains. abc.com and xyz.com we'll call them :)

Exchange 2013 and they have just got a SAN (UC) Cert. They added mail.abc.com and server.xyz.com to the cert. However, xyz.com is actually an owned domain by someone and the SSL provider needs it to be verified.

I know this has all started because of the changes to SSL certs, but how can I resolve this? Really, changing the internal domain name to match abc.com is one way, but that is going to be challenging given the Exchange server.

The Outlook clients are all moaning that there is a certificate mismatch, etc.

:(
 
I'm not a server person at all, but given that it's all domained can't you just issue the cert from your own certificate authority therefore it's automatically trusted by domain users?

Or just self-sign it and push it out to everyone's trusted keystore via GPO?
 
No, they own the external domain, but not the internal domain, as I assume most companies don't (or didn't). Of course, for the SAN, you need to add the server name, but because that is server.internal.com the issuing authority won't issue it without the owner of internal.com accepting it.

So, the person who owns the domain name (that it just so happens is the internal domain name here) will have had an email from the CA asking them to verify ownership.

ie, this scenario....

http://exchangeserverpro.com/how-to...er-2010-from-a-private-certificate-authority/
 
I see. This is why people use .local suffixes for internal domains.

The answer is to self sign a certificate for internal connections and use a different certificate for external connections.
 
What's the process there? Create another Exchange cert, issue it through our internal CA and then add that back to the Exchange server?
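The process being asked about, written out as an added example (not code from anyone in the thread). It runs in the Exchange Management Shell on the Exchange 2013 server and assumes an internal Active Directory Certificate Services CA reachable as CA01\InternalCA with a WebServer template, the placeholder names server.xyz.com and autodiscover.xyz.com from the thread, and C:\certs as a working folder; all of those are assumptions to change for your environment.

```powershell
# Added example: request an internal-CA certificate for the internal names,
# issue it, import it into Exchange 2013 and bind it to the web services.
# Assumed values: server.xyz.com, autodiscover.xyz.com, CA01\InternalCA, C:\certs.

$certDir  = 'C:\certs'
$caConfig = 'CA01\InternalCA'          # <CAHostName>\<CACommonName> of the internal CA
$server   = $env:COMPUTERNAME
New-Item -ItemType Directory -Path $certDir -Force | Out-Null

# 1. Generate a CSR on the Exchange server. The subject and SANs carry only
#    names the internal CA is allowed to issue for (no public-CA vetting needed).
$csr = New-ExchangeCertificate -Server $server -GenerateRequest `
    -FriendlyName 'Exchange internal names' `
    -SubjectName 'CN=server.xyz.com, O=Example Ltd, C=GB' `
    -DomainName 'server.xyz.com', 'autodiscover.xyz.com' `
    -KeySize 2048 -PrivateKeyExportable $true

$reqPath = Join-Path $certDir 'exchange-internal.req'
Set-Content -Path $reqPath -Value $csr -Encoding Ascii

# 2. Submit the CSR to the internal CA and collect the issued certificate.
#    The WebServer template must permit "supply in request" subject names.
$cerPath = Join-Path $certDir 'exchange-internal.cer'
certreq.exe -submit -config $caConfig -attrib 'CertificateTemplate:WebServer' $reqPath $cerPath
if (-not (Test-Path $cerPath)) { throw 'CA did not return a certificate (check template/pending requests).' }

# 3. Import the issued certificate; it pairs with the private key created in step 1.
$imported = Import-ExchangeCertificate -Server $server `
    -FileData ([byte[]](Get-Content -Path $cerPath -Encoding Byte -ReadCount 0))

# 4. Bind it to IIS (OWA, ECP, EWS, Autodiscover, OAB, ActiveSync). Add SMTP only if
#    internal TLS mail flow should present the same certificate.
Enable-ExchangeCertificate -Server $server -Thumbprint $imported.Thumbprint -Services IIS -Force

# 5. Verify: the new cert should list the internal names and show IIS in Services.
Get-ExchangeCertificate -Server $server -Thumbprint $imported.Thumbprint |
    Format-List Subject, CertificateDomains, Services, NotAfter, Issuer
```

Two checks before relying on this: confirm the issuing CA's root is already in the Trusted Root store on the clients (domain-joined machines normally receive it via Group Policy autoenrollment), and remember that a single Exchange 2013 server has one IIS binding on TCP 443, so binding this certificate replaces whatever was bound there before. If the same server is also the endpoint external clients hit as mail.abc.com, one certificate has to carry all the names that binding will be asked for.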
 
I see. This is why people use .local suffixes for internal domains.

The answer is to self sign a certificate for internal connections and use a different certificate for external connections.

Never use .local, it becomes almost impossible to use Exchange 2013 and Autodiscover due to the SSL issues. MS have been advising against .local for years now, despite Small Business Server still making domains with that in them.
 